Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets

In our most complex effort to disrupt botnets to date, Microsoft’s Digital Crimes Unit – in collaboration with Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association, as well as Kyrus Tech Inc. – has executed a coordinated global action against some of the worst known cybercrime operations fueling online fraud and identity theft today. With this legal and technical action, a number of the most harmful botnets using the Zeus family of malware worldwide have been disrupted in an unprecedented, proactive cross-industry operation against this cybercriminal organization.

As you may have read, after a months-long investigation, successful pleading before the U.S. District Court for the Eastern District of New York and a coordinated seizure of command and control servers in Scranton, Penn. and Lombard, Ill., some of the worst known Zeus botnets were disrupted by Microsoft and our partners worldwide. Valuable evidence and intelligence gained in the operation will be used both to help rescue people’s computers from the control of Zeus and in an ongoing effort to undermine the cybercriminal organization and help identify those responsible.

Cybercriminals have built hundreds of botnets using variants of Zeus malware. For this action – codenamed Operation b71 – we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages. Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain.

As alleged in the complaint, Zeus malware uses a tactic called keylogging, which records a person’s every computer keystroke to monitor online activity and gain access to usernames and passwords in order to steal victims’ identities, withdraw money from their bank accounts and make online purchases. Microsoft researchers found that once a computer is infected with Zeus, the malware automatically starts keylogging when a person types in the name of a financial or e-commerce institution, allowing criminals to gain access to people’s online accounts from that point forward. Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets. These crimeware kits sell for anywhere between $700 and $15,000, depending on the version and features of the kit. Overall, Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone.

Similar to the successful Waledac, Rustock and Kelihos botnet takedowns, Microsoft, joined by our partners, filed suit on March 19, 2012 against John Does 1-39, asking the court for permission to sever the command and control structures of these Zeus botnets. The suit claimed similar violations made in Microsoft’s previous botnet cases, including the Lanham Act, in order to physically seize servers from hosting providers and preserve evidence. In addition, because Zeus relies on a criminal network to exploit users, we also applied a well-established law known as the Racketeer Influenced and Corrupt Organizations (RICO) Act in the case as the legal basis for this operation. In criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the “organization” were not necessarily part of the core enterprise.

On March 23, Microsoft, FS-ISAC and NACHA – escorted by the U.S. Marshals – successfully executed a coordinated physical seizure of command and control servers in two hosting locations to seize and preserve valuable data and virtual evidence from the botnets for the case. We took down two IP addresses behind the Zeus ‘command and control’ structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers.

We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. The operation will help further investigations against those responsible for the threat and help us better protect victims.

This is the fourth high-profile takedown operation in Microsoft’s Project MARS (Microsoft Active Response for Security) initiative – a joint effort between DCU, Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to disrupt botnets and begin to undo the damage they cause by helping victims regain control of their infected computers. As with our prior takedowns, Microsoft will use intelligence gained from this operation to partner with Internet service providers (ISPs) and Community Emergency Response Teams (CERTs) around the world to work to rescue people’s computers from Zeus’ control. This intelligence will help quickly reduce the size of the threat that each of these botnets poses, and make the Internet safer for consumers and businesses worldwide.

There are steps people and businesses can take to better protect themselves from becoming victims of malware, fraud and identity theft. Everyone who uses a computer should exercise safe practices, such as running up-to-date and legitimate software, firewall protection and anti-virus and anti-malware protection. People should also exercise caution when surfing the Web or clicking on ads or e-mail attachments that may prove to be malicious. (More information about staying safe online can be found at https://www.microsoft.com/protect.) For those worried that their computer might be infected, Microsoft offers free information and malware cleaning tools at https://support.microsoft.com/botnets that can help people remove Zeus and other malware from their computers.

In addition to our co-plaintiffs, FS-ISAC and NACHA, Microsoft’s filing in this case is supported by Kyrus Tech Inc., which served as a declarant. Other organizations, including F-Secure, also provided supporting information for the case.

This case and operation are ongoing, and we’ll continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Posted by Richard Domingues Boscovich
Senior Attorney, Microsoft Digital Crimes Unit